Panel Takes on Computer Fraud Conviction

SAN FRANCISCO (CN) – Strictly defining unauthorized account access criminalizes even consensual password-sharing, an attorney for a client-swiping head hunter told the Ninth Circuit on Tuesday. The hearing marked the third turn before the federal appeals court for David Nosal, who faces a year a day in prison if this challenge fails. Nosal found himself in hot legal water after he encouraged some former co-workers from the recruitment firm Korn/Ferry to log onto a confidential Korn/Ferry database and send him client information. The employees were allowed to access the database, but Korn/Ferry had a policy against disclosing confidential information. Though the en banc Ninth Circuit trimmed a hacking charge against Nosal in 2012, he was convicted of six remaining counts, including trade-secret theft and unauthorized access in violation of the Computer Fraud and Abuse Act. Nosal was sentenced to 366 days in prison, but a federal judge postponed that term pending his appeal. “I’m not here to defend the conduct,” Nosal’s attorney Dennis Riordan told the three-judge panel on Tuesday. “I’m here to say it’s not a crime.” Riordan said the government’s reading of the CFAA would criminalize “consensual password-sharing.” Given “there weren’t connected computers” when Congress passed the law in 1984, that’s an impossible result of legislative intent, the attorney added. Using the hypothetical of a Russian spy who finds himself in a “honey-pot situation” with his secretary, Judge Margaret McKeown countered that “the question is not of consensual password-sharing.” “The question is of who has the authority to give authorization,” McKeown said. McKeown said she thought the more relevant issue was that Nosal was “going through the back door to get what you can’t through the front door.” Arguing for the government, Jenny Ellickson assured the judges that a ruling for the government “will not have ramifications outside of the employment context.” Ellickson emphasized that the government’s position is that unauthorized access must be intentional to qualify as a crime. “Having the authority to obtain information does not give you access to computers on which that information may be stored,” she added. Chief Judge Sidney Thomas asked the Justice Department attorney to state the limiting principle. “It can’t be employment,” Thomas said. Ellickson responded that it was “whether the person who shares a password is a person with the authorization to do so.” “There is no doubt that there was someone at Korn/Ferry who determined authorization, and there was someone who determined that the defendant should not have a password,” she said. Riordan, with Riordan & Horgan in San Francisco, told the panel they have been “called upon to decide whether a federal statute should be interpreted in an unprecedented and expansive matter that would criminalize minor violations.” “To criminalize that password-sharing is to turn literally millions of citizens into criminals,” he said. The court did not indicate when it intends to rule on the issue.